
centos7搭建DNS服务



DNS服务类型

主机记录

记录类型

记录值

ns1

A

192.168.1.1

ns2

A

192.168.1.2

www

A

192.168.1.100

bbs

CNAME

www

ftp

A

192.168.1.110

mail

MX 10

192.168.1.120

一、服务配置

安装与配置简洁示例,详细配置可参考下面章节。注意:示例把 listen-on 和 allow-query 都设为 any 且开启了 recursion,等于向所有客户端开放递归查询,只适合内网实验环境;若服务器带有公网地址,务必按 named.conf 自带注释所述限制查询来源(例如用 allow-query / allow-recursion 只放行内网网段),否则会成为DNS放大攻击的帮凶:

# 1. 安装DNS服务[root@vm ~]# yum -y install bind bind-utils# 2. 启动DNS服务[root@vm ~]# systemctl enable named --now[root@vm ~]# systemctl status named[root@vm ~]# systemctl stop named[root@vm ~]# systemctl start named[root@vm ~]# systemctl restart named# 3. 修改 NAME_SERVER[root@vm ~]# vi /etc/resolv.confnameserver 127.0.0.1# 4. 修改named.conf配置文件[root@vm ~]# cp /etc/named.conf{,_bak}[root@vm ~]# sed -i -e "s/listen-on port.*/listen-on port 53 { any; };/" /etc/named.conf[root@vm ~]# sed -i -e "s/allow-query.*/allow-query { any; };/" /etc/named.conf[root@vm ~]# sed -i '/recursion yes;/a \        forward first; \        forwarders { 114.114.114.114; 8.8.8.8; };' /etc/named.conf[root@vm ~]# sed -i -e "s/dnssec-enable.*/dnssec-enable no;/" /etc/named.conf[root@vm ~]# sed -i -e "s/dnssec-validation.*/dnssec-validation no;/" /etc/named.conf # 5. 修改 zones 文件 [root@vm ~]# cat >> /etc/named.rfc1912.zones << EOFzone "crc.testing" IN {        type master;        file "crc.testing.zone";        allow-update { none; };};zone "apps-crc.testing" IN {        type master;        file "apps-crc.testing.zone";        allow-update { none; };};EOF [root@vm ~]# cat > /var/named/crc.testing.zone << EOF\$TTL 1D@       IN SOA  crc.testing. admin.crc.testing. (                                            0       ; serial                                        1D      ; refresh                                        1H      ; retry                                         1W      ; expire                                        3H )    ; minimum        NS      ns.crc.testing.          *       IN A    ${NAME_SERVER}EOF [root@vm ~]# cat > /var/named/apps-crc.testing.zone << EOF\$TTL 1D@       IN SOA  apps-crc.testing. admin.apps-crc.testing. 
(                                            0       ; serial                                        1D      ; refresh                                        1H      ; retry                                         1W      ; expire                                        3H )    ; minimum        NS      ns.apps-crc.testing.          *       IN A    ${NAME_SERVER}EOF# 6. 重启DNS服务[root@vm ~]# systemctl restart named

快速示例二(use) :

# 临时关闭SELinux与防火墙[root@localhost ~]# setenforce 0[root@localhost ~]# systemctl stop firewalld # 永久关闭[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config[root@localhost ~]# systemctl disable firewalld #查看selinux, firewalld 状态[root@localhost ~]# getenforcePermissive[root@localhost ~]# systemctl status firewalld # 1. 安装DNS服务[root@vm ~]# yum -y install bind bind-utils # 2. 启动DNS服务[root@vm ~]# systemctl enable named --now[root@vm ~]# systemctl status named[root@vm ~]# systemctl stop named[root@vm ~]# systemctl start named[root@vm ~]# systemctl restart named # 3. 修改 NAME_SERVER 和 ifcfg 文件[root@vm ~]# vi /etc/resolv.confnameserver 127.0.0.1 [root@vm ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens3# 添加或修改如下内容(192.168.0.134为本机DNS所在机器ip)DNS1=192.168.0.134# 重启网络服务[root@vm ~]# systemctl restart network # 4. 修改named.conf配置文件[root@vm ~]# cp /etc/named.conf{,_bak}# 说明:# listen-on port 53 {192.168.80.150;}; 设置为本地的IP地址即可。# listen-on port 53 { any; }; 。设置为所有IP地址均可访问# allow-query {any;}  设置为所有人都可以访问。[root@Centos7-1 ~]# vi /etc/named.conf// named.conf//// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS// server as a caching only nameserver (as a localhost DNS resolver only).//// See /usr/share/doc/bind*/sample/ for example named configuration files.//// See the BIND Administrator Reference Manual (ARM) for details about the// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.htmloptions {        # 设置为所有IP地址均可访问        listen-on port 53 { any; };        listen-on-v6 port 53 { ::1; };        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        recursing-file  "/var/named/data/named.recursing";        secroots-file   "/var/named/data/named.secroots";        # 设置为所有人都可以访问。        allow-query { any; };        /*         - If you are building an AUTHORITATIVE 
DNS server, do NOT enable recursion.         - If you are building a RECURSIVE (caching) DNS server, you need to enable           recursion.         - If your recursive DNS server has a public IP address, you MUST enable access           control to limit queries to your legitimate users. Failing to do so will           cause your server to become part of large scale DNS amplification           attacks. Implementing BCP38 within your network would greatly           reduce such attack surface        */        # 配置 recursion, forward, forwarders   字段        recursion yes;        forward first;        forwarders { 114.114.114.114; 8.8.8.8; };        # 配置 dnssec-enable, dnssec-validation 字段        dnssec-enable no;        dnssec-validation no;        /* Path to ISC DLV key */        bindkeys-file "/etc/named.root.key";        managed-keys-directory "/var/named/dynamic";        pid-file "/run/named/named.pid";        session-keyfile "/run/named/session.key";};logging {        channel default_debug {                file "data/named.run";                severity dynamic;        };};zone "." IN {        type hint;        file "named.ca";};# 关联 zones 文件include "/etc/named.rfc1912.zones";include "/etc/named.root.key"; # 5. 修改 zones 文件 及 解析文件 5.1 编辑 zone 文件[root@vm ~]# cp /etc/named.rfc1912.zones{,_bak}[root@vm ~]# cat >> /etc/named.rfc1912.zones << EOFzone "my-ocp-cluster.com" IN {        type master;        file "openshift.hosts";        allow-update { none; };};zone "134.0.11.10.in-addr.arpa" IN {        type master;        file "openshift.hosts.arpa";        allow-update { none; };};EOF 5.2 编辑正向解析文件 [root@vm ~]# vi /var/named/openshift.hosts$TTL 1D@       IN      SOA     @       root. (                        2019070700      ; serial                        3H              ; refresh                        30M             ; retry                        2W              ; expiry                        1W )    	; minimum @       NS              ns1.my-ocp-cluster.com. 
ns1                     IN      A       192.168.0.134 helper  IN      A       192.168.0.134 api                     IN      A       192.168.0.134api-int         IN      A       192.168.0.134*.apps          IN      A       192.168.0.134bootstrap       IN      A       192.168.0.134master0         IN      A       192.168.0.120master1         IN      A       192.168.0.122master2         IN      A       192.168.0.123worker0         IN      A       192.168.0.124worker1         IN      A       192.168.0.125 # 5.3 编辑反向解析文件[root@vm ~]# vi /var/named/openshift.hosts.arpa$TTL 1D@       IN      SOA     @       root. (                                        2019070700      ; serial                                        3H              ; refresh                                        30M             ; retry                                        2W              ; expiry                                        1W )            ; minimum@       IN      NS      ns1.my-ocp-cluster.com. 10      IN      PTR     api.my-ocp-cluster.com11      IN      PTR     api-int.my-ocp-cluster.com12      IN      PTR     bootstrap.my-ocp-cluster.com100     IN      PTR     master0.my-ocp-cluster.com101     IN      PTR     master1.my-ocp-cluster.com102     IN      PTR     master2.my-ocp-cluster.com103     IN      PTR     worker0.my-ocp-cluster.com104     IN      PTR     worker1.my-ocp-cluster.com # 添加完文件后修改文件属性[root@vm ~]# chown :named /var/named/openshift* # 6. 重启DNS服务[root@vm ~]# systemctl restart named# 检测配置文件[root@vm ~]# named-checkconf -z /etc/named.rfc1912.zones# 检测正向解析文件[root@vm ~]# named-checkzone my-ocp-cluster.com /var/named/openshift.hosts# 检测反向解析文件[root@vm ~]# named-checkzone 134.0.168.192.in-addr.arpa /var/named/openshift.hosts.arpa # 7. 
分别配置集群其它节点DNS访问地址[root@vm ~]# vi /etc/resolv.conf[root@openshift-base ~]# cat /etc/resolv.conf# Generated by NetworkManagernameserver 192.168.0.133[root@vm ~]# vi /etc/sysconfig/network-scripts/ifcfg-ens3# 添加或修改如下内容(192.168.0.134为本机DNS所在机器ip)DNS1=192.168.0.134# 重启网络服务[root@vm ~]# systemctl restart network # 8. 正向检测解析# 其它按此方法域名依次检测即可[root@centos7 ~]# nslookup master0.my-ocp-cluster.comServer:         192.168.0.134Address:        192.168.0.134#53 Name:   master0.my-ocp-cluster.comAddress: 192.168.0.120 # 9. 反向检测解析[root@openshift-base ocp]# nslookup 192.168.0.134 120.0.11.10.in-addr.arpa name = master0.my-ocp-cluster.com.

1.1 关闭SELinux与防火墙(use)

[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld
# 永久关闭
[root@localhost ~]# sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
[root@localhost ~]# systemctl disable firewalld

1.2 配置网卡

配置网卡,使其可以访问本地DNS, 详情可参考:Centos7修改DNS Server

windows修改DNS配置,可参考:win10修改DNS配置

[root@localhost ~]# vi /etc/sysconfig/network-scripts/ifcfg-eno16777736BOOTPROTO=staticONBOOT=yesIPADDR=192.168.1.1NETMASK=255.255.255.0DNS1=114.114.114.114DNS2=127.0.0.1 # 访问本地DNS服务

1.3 yum 安装DNS服务

安装bind包, vim包:

[root@localhost ~]# yum install -y bind* vim*
# 查看bind是否安装完成
[root@localhost yum.repos.d]# rpm -aq | grep bind
# 状态管理
systemctl enable named --now
systemctl status named
systemctl stop named
systemctl start named
systemctl restart named
# 修改本机 nameserver
[root@localhost yum.repos.d]# vi /etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1

/etc/named.conf文件说明:

  ......                                     //略
options {
    listen-on port 53 { 127.0.0.1; };    // 指定BIND侦听DNS查询请求的本机IP地址及端口
    listen-on-v6 port 53 { ::1; };       // 限于 IPv6
    directory "/var/named";              // 指定区域配置文件所在的路径
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; };          // 指定接收DNS查询请求的客户端
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;               // 改为no可以忽略SELinux影响
    dnssec-lookaside auto;
    .....
};
// 以下用于指定BIND服务的日志参数
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {                            // 用于指定根服务器的配置信息,一般不能改动
    type hint;
    file "named.ca";
};
include "/etc/named.zones";              // 指定主配置文件,一定根据实际修改
include "/etc/named.root.key";

/etc/named.rfc1912.zones文件说明:

// named.rfc1912.zones://// Provided by Red Hat caching-nameserver package//// ISC BIND named zone configuration for zones recommended by// RFC 1912 section 4.1 : localhost TLDs and address zones// and  (c)2007 R W Franks//// See /usr/share/doc/bind*/sample/ for example named configuration files.//zone "localhost.localdomain" IN {        type master;        file "named.localhost";        allow-update { none; };};zone "localhost" IN {        type master;        file "named.localhost";        allow-update { none; };};zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {        type master;        file "named.loopback";        allow-update { none; };};zone "1.0.0.127.in-addr.arpa" IN {        type master;        file "named.loopback";        allow-update { none; };};zone "0.in-addr.arpa" IN {        type master;        file "named.empty";        allow-update { none; };};zone "ocp4.my-ocp-cluster.com" IN { // 正向解析,这里定义要访问的基域,例如 正向解析要访问*.ssx.com, 那么这里就要写成ssx.com        type master;        file "openshift.hosts";        allow-update { none; };};zone "134.0.11.10.in-addr.arpa" IN {  // 这里定义要访问的反向解析地址        type master;        file "openshift.hosts.arpa";        allow-update { none; };};

查看DNS服务器IP地址信息:

[root@localhost ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33TYPE=EthernetPROXY_METHOD=noneBROWSER_ONLY=noDEFROUTE=yesIPV4_FAILURE_FATAL=noIPV6INIT=yesIPV6_AUTOCONF=yesIPV6_DEFROUTE=yesIPV6_FAILURE_FATAL=noIPV6_ADDR_GEN_MODE=stable-privacyNAME=ens33UUID=9f92031e-cb20-4cde-b796-6935a082ba86DEVICE=ens33# 检查项BOOTPROTO=staticONBOOT=yesIPADDR=192.168.10.1NETMASK=255.255.255.0GATEWAY=192.168.10.254DNS1=192.168.10.1

查看并检查配置的网络

[root@localhost ~]# ip add

1.4 配置示例1--use

1.4.1 编辑dns配置文件

[root@Centos7-1 ~]# cp /etc/named.conf /etc/named.conf-bak
# or
[root@Centos7-1 ~]# cp /etc/named.conf{,_bak}

编辑 /etc/named.conf 文件:

# listen-on port 53 {192.168.80.150;}; 设置为本地的IP地址即可。# listen-on port 53 { any; }; 。设置为所有IP地址均可访问# allow-query {any;}  设置为所有人都可以访问。[root@Centos7-1 ~]# vi /etc/named.conf// named.conf//// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS// server as a caching only nameserver (as a localhost DNS resolver only).//// See /usr/share/doc/bind*/sample/ for example named configuration files.//// See the BIND Administrator's Reference Manual (ARM) for details about the// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.htmloptions {        # 设置为所有IP地址均可访问        listen-on port 53 { any; };        listen-on-v6 port 53 { ::1; };        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        recursing-file  "/var/named/data/named.recursing";        secroots-file   "/var/named/data/named.secroots";        # 设置为所有人都可以访问。        allow-query { any; };        /*         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.         - If you are building a RECURSIVE (caching) DNS server, you need to enable           recursion.         - If your recursive DNS server has a public IP address, you MUST enable access           control to limit queries to your legitimate users. Failing to do so will           cause your server to become part of large scale DNS amplification           attacks. 
Implementing BCP38 within your network would greatly           reduce such attack surface        */        # 配置 recursion, forward, forwarders   字段        recursion yes;        forward first;        forwarders { 114.114.114.114; 8.8.8.8; };        # 配置 dnssec-enable, dnssec-validation 字段        dnssec-enable no;        dnssec-validation no;        /* Path to ISC DLV key */        bindkeys-file "/etc/named.root.key";        managed-keys-directory "/var/named/dynamic";        pid-file "/run/named/named.pid";        session-keyfile "/run/named/session.key";};logging {        channel default_debug {                file "data/named.run";                severity dynamic;        };};zone "." IN {        type hint;        file "named.ca";};# 关联 zones 文件include "/etc/named.rfc1912.zones";include "/etc/named.root.key";include "/etc/named.zones";

生成相应zones文件:

[root@Centos7-1 ~]#cp -p /etc/named.rfc1912.zones /etc/named.zones

编辑 named.zones文件:

[root@localhost ~]# vim /etc/named.zones# named.zones文件内容如下:zone "ssx.com" IN {     // 正向根域文件的定义	type master;    // 作为根域	file "ssx.com.hosts";  // 根域正向解析文件名};zone "10.168.192.in-addr.arpa" IN {   // 反向根域文件的定义, 这里的10.168.192是ip的前几段(前几段都可以)的倒写	type master;                // 作为根域	file "ssx.com.back";          // 根域反向解析文件名};

检查主配置文件:

[root@localhost ~]# named-checkconf

1.4.2 配置正向解析文件

先将 /var/named/named.localhost 复制到 /var/named/ssx.com.hosts,目的是用 cp -p 保留原文件的属主、权限等属性以及文件格式:

[root@localhost ~]#cp -p /var/named/named.localhost /var/named/ssx.com.hosts

编辑ssx.com.hosts文件:

[root@localhost ~]# vim /var/named/ssx.com.hosts$TTL 1D@       IN SOA  @ root.ssx.com. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@               NS      dns.ssx.com.dns             IN A    10.11.0.133www             IN A    10.11.0.133smb             IN A    10.11.0.133ftp             IN A    10.11.0.133# =========================================== ##或者$TTL 1D@       IN SOA  @ root.ssx.com. (                                        0       ; serial                                        1D      ; refresh                                        1H      ; retry                                        1W      ; expire                                        3H )    ; minimum@               NS      dns.ssx.com.*               IN A    10.11.0.133# 说明 $TTL    缓存生存周期 @ = zonename = ssx.com  当前域 IN     互联网 SOA    开始授权 NS     dns服务器 A      ipv4正向, 将域名转换为对应的IP地址 AAAA   ipv6 CNAME  别名 MX     邮件交互记录 5      数字代表优先级, 数字越小优先级越高 PTR    将IP地址转换为对应的域名   0       ; serial   --更新序列号,可以是 10 位以内的整数 1D      ; refresh  --刷新时间,重新下载地址数据的间隔 1H      ; retry    --重试延时,下载失败后的重试间隔 3D      ; expire   --失效时间,超过该时间仍无法下载则放弃 1D )    ; minimum  无效解析记录的生存周期 @代表zone的意思,现在@代表ssx.com.;  SOA代表资源记录的名称为起始授权记录; root.ssx.com.表示有问题找该管理员; 0代表序列号; 1D代表更新频率为1天; 1H代表失败重新尝试时间为1小时; 3W代表失效时间为1周; 3H代表缓存时间为3小时

dns.ssx.com. 是你的主机名加上域名(注意细节:com 后面的结尾点不能省略)。

然后添加主机记录

NS dns.ssx.com. 本机的域名;dns A 192.168.10.100:dns 为 ssx.com 的域名前缀,对应着 192.168.10.100;www A 192.168.10.101:www 为 ssx.com 的域名前缀,对应着 192.168.10.101;ftp A 192.168.10.103:ftp 为 ssx.com 的域名前缀,对应着 192.168.10.103。

检查正向解析文件

[root@localhost ~]# named-checkzone ssx.com /var/named/ssx.com.hostszone ssx.com/IN: loaded serial 0OK

1.4.3 配置反向解析文件

先将正向解析文件拷贝至/var/named/ssx.com.back

[root@localhost ~]#cp -p /var/named/ssx.com.hosts /var/named/ssx.com.back

[root@localhost ~]# vi /var/named/ssx.com.back
$TTL 1D
@       IN SOA  @ root.ssx.com. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
@       IN      NS      dns.ssx.com.
100     IN      PTR     dns.ssx.com
101     IN      PTR     www.ssx.com
102     IN      PTR     smb.ssx.com
103     IN      PTR     ftp.ssx.com

检查反向解析文件:

[root@localhost ~]# named-checkzone 10.168.192.in-addr.arpa /var/named/ssx.com.backzone 10.168.192.in-addr.arpa/IN: loaded serial 0OK

1.4.4 启动named服务

[root@localhost ~]# systemctl start named [root@localhost ~]# systemctl restart named [root@localhost ~]# systemctl status namednamed.service - Berkeley Internet Name Domain (DNS)   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)   Active: active (running) since 日 2019-06-02 14:03:52 CST; 5s ago  Process: 4860 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS)  Process: 3348 ExecReload=/bin/sh -c /usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)  Process: 4872 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=0/SUCCESS)  Process: 4870 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 4874 (named)    Tasks: 4   CGroup: /system.slice/named.service           └─4874 /usr/sbin/named -u named -c /etc/named.conf6月 02 14:03:52  named[4874]: zone 10.168.192.in-addr.arpa/IN: loaded ... 06月 02 14:03:52  named[4874]: zone 1.0.0.127.in-addr.arpa/IN: loaded s... 06月 02 14:03:52  named[4874]: zone localhost.localdomain/IN: loaded se... 06月 02 14:03:52  named[4874]: zone ssx.com/IN: loaded serial 06月 02 14:03:52  named[4874]: zone localhost/IN: loaded serial 06月 02 14:03:52  named[4874]: all zones loaded6月 02 14:03:52  named[4874]: running6月 02 14:03:52  systemd[1]: Started Berkeley Internet Name Domain (DNS).6月 02 14:03:52  named[4874]: zone ssx.com/IN: sending notifies (serial 0)6月 02 14:03:52  named[4874]: zone 10.168.192.in-addr.arpa/IN: sending...0)Hint: Some lines were ellipsized, use -l to show in full.

1.4.5 检测正向解析

[root@centos7 ~]# nslookup smb.ssx.comServer: 127.0.0.1Address: 127.0.0.1#53 Name: smb.ssx.comAddress: 192.168.10.102

1.4.6 检测反向解析

[root@localhost ~]# nslookup 192.168.10.101Server: 192.168.10.200Address: 192.168.10.200#53101.10.168.192.in-addr.arpa name = .

1.4.7Linux客户机测试

Client1与DNS服务器的通信畅通

客户机操作:

[root@Client1 ~]# vim /etc/resolv.conf
nameserver 192.168.10.100
search  ssx.com

Linux客户机关闭防火墙

[root@Client1 ~]#systemctl stop firewalld

客户机验证

[root@client1 ~]# nslookup > server          // 显示真实本机NDS server信息>      // 显示真实本机配置信息> 192.168.10.102  // 显示真实本机配置信息

1.5 配置示例2

1.5.1 编辑主配置文件(named.conf)

[root@localhost ~]# vim /etc/named.conf
options {
    directory    "/var/named";
    dump-file    "/var/named/data/cache_dump.db";
    statistics-file    "/var/named/data/named_stats.txt";
    memstatistics-file    "/var/named/data/named_mem_stats.txt";
    recursion yes;
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};

1.5.2 编辑区域配置文件(named.rfc1912.zones)

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "infanx.com.loopback";
        allow-update { none; };
};
zone "infanx.com" IN {
        type master;
        file "infanx.com.empty";
        allow-update { none; };
};

1.5.3 编辑正反向配置文件

[root@localhost ~]# cd /var/named
[root@localhost named]# cp -p named.localhost infanx.com.empty
[root@localhost named]# cp -p named.loopback infanx.com.loopback

正向文件:

$TTL 1D
@       IN SOA  ns1.infanx.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1
        IN      NS      ns2
ns1     IN      A       192.168.1.1
ns2     IN      A       192.168.1.2
www     IN      A       192.168.1.100
bbs     IN      CNAME   www
ftp     IN      A       192.168.1.110
mail    IN      MX  10  192.168.1.120

反向文件:

$TTL 1D
@       IN SOA  ns1.infanx.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1.infanx.com.
        IN      NS      ns2.infanx.com.
1       IN      PTR     ns1.infanx.com.
2       IN      PTR     ns2.infanx.com.
100     IN      PTR     www.infanx.com.
100     IN      PTR     bbs.infanx.com.
110     IN      PTR     ftp.infanx.com.
120     IN      PTR     mail.infanx.com.

1.6 配置示例3

1.6.1 编辑主配置文件(named.conf)

在默认配置基础上稍作修改即可(示例中将 listen-on 与 allow-query 改为 any,并关闭了 dnssec-enable / dnssec-validation):

[root@localhost ~]# vim /etc/named.confoptions {        listen-on port 53 { any; };        listen-on-v6 port 53 { ::1; };        directory       "/var/named";        dump-file       "/var/named/data/cache_dump.db";        statistics-file "/var/named/data/named_stats.txt";        memstatistics-file "/var/named/data/named_mem_stats.txt";        recursing-file  "/var/named/data/named.recursing";        secroots-file   "/var/named/data/named.secroots";        allow-query { any; };        /*         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.         - If you are building a RECURSIVE (caching) DNS server, you need to enable           recursion.         - If your recursive DNS server has a public IP address, you MUST enable access           control to limit queries to your legitimate users. Failing to do so will           cause your server to become part of large scale DNS amplification           attacks. Implementing BCP38 within your network would greatly           reduce such attack surface        */        recursion yes;        forward first;        forwarders { 114.114.114.114; 8.8.8.8; };        dnssec-enable no;        dnssec-validation no;        /* Path to ISC DLV key */        bindkeys-file "/etc/named.root.key";        managed-keys-directory "/var/named/dynamic";        pid-file "/run/named/named.pid";        session-keyfile "/run/named/session.key";};logging {        channel default_debug {                file "data/named.run";                severity dynamic;        };};

1.6.2 编辑区域配置文件(named.rfc1912.zones)

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "api.crc.testing" IN {
        type master;
        file "api.crc.testing.zone";
        allow-update { none; };
};
zone "console-openshift-console.apps-crc.testing" IN {
        type master;
        file "console-openshift-console.apps-crc.testing.zone";
        allow-update { none; };
};

1.6.3 编辑正反向配置文件

[root@localhost ~]# cd /var/named
[root@localhost named]# cp -p named.localhost console-openshift-console.apps-crc.testing.zone
[root@localhost named]# cp -p named.loopback api.crc.testing.zone

正向文件:

vi api.crc.testing.zone

$TTL 1D
@       IN SOA  ns1.infanx.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1
        IN      NS      ns2
ns1     IN      A       192.168.1.1
ns2     IN      A       192.168.1.2
www     IN      A       192.168.1.100
bbs     IN      CNAME   www
ftp     IN      A       192.168.1.110
mail    IN      MX  10  192.168.1.120

反向文件:

$TTL 1D
@       IN SOA  ns1.infanx.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1.infanx.com.
        IN      NS      ns2.infanx.com.
1       IN      PTR     ns1.infanx.com.
2       IN      PTR     ns2.infanx.com.
100     IN      PTR     www.infanx.com.
100     IN      PTR     bbs.infanx.com.
110     IN      PTR     ftp.infanx.com.
120     IN      PTR     mail.infanx.com.

1.6.4 检查正向解析文件

[root@localhost ~]# named-checkzone ssx.com /var/named/ssx.com.hosts

1.7 重启DNS服务

[root@localhost named]# systemctl restart named

1.8 测试解析记录

以下测试基于 1.5 章节的配置结果:

[root@localhost named]# nslookup> ns1.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Name:    ns1.infanx.comAddress: 192.168.1.1 > ns2.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Name:    ns2.infanx.comAddress: 192.168.1.2 > :        192.168.1.1Address:    192.168.1.1#53Name:    : 192.168.1.100 > bbs.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53bbs.infanx.com    canonical name = :    : 192.168.1.100 > :        192.168.1.1Address:    192.168.1.1#53Name:    : 192.168.1.110 > mail.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Name:    : 192.168.1.120 > 192.168.1.1    Server:        192.168.100.100Address:    192.168.100.100#531.1.168.192.in-addr.arpa    name = ns1.infanx.com. > 192.168.1.2Server:        192.168.100.100Address:    192.168.100.100#532.1.168.192.in-addr.arpa    name = ns2.infanx.com. > 192.168.1.100Server:        192.168.100.100Address:    192.168.100.100#53100.1.168.192.in-addr.arpa    name = bbs.infanx.com.100.1.168.192.in-addr.arpa    name = . > 192.168.1.110Server:        192.168.100.100Address:    192.168.100.100#53110.1.168.192.in-addr.arpa    name = . > 192.168.1.120Server:        192.168.100.100Address:    192.168.100.100#53120.1.168.192.in-addr.arpa    name = mail.infanx.com.

其他示例参考1: 其他示例参考2:CentOS7.9搭建主DNS服务器 正反向解析

二、缓存DNS(转发器)(选做)

在第二台服务器上安装DNS服务,作为主DNS服务器的缓存DNS。

2.1 服务配置

安装DNS服务

编辑主配置文件

[root@localhost ~]# vim /etc/named.conf
options {
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        recursion yes;
        forwarders { 192.168.1.1; };    //指明转发器是谁
        forward first;                  //first:优先使用转发器,如果查询不到再使用本地DNS;
                                        //only:仅使用转发器,如果查询不到则返回DNS客户端查询失败;
        dnssec-enable no;
        dnssec-validation no;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

或者编辑区域配置文件,配置局部转发器,原理同上:

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "infanx.com" IN {
        type forward;
        forwarders { 192.168.1.1; };
        forward first;
};

重启DNS服务

进入slaves文件夹验证

[root@localhost ~]# cd /var/named/slaves[root@localhost slaves]# ll总用量 8-rw-r--r--. 1 named named 466 2月  17 00:00 infanx.com.empty-rw-r--r--. 1 named named 466 2月  17 00:00 infanx.com.loopback

三、辅助DNS(DNS集群)(选做)

3.1 题目要求

在主DNS的正向和反向区域文件中分别添加辅助DNS的 NS 记录和 A 记录。

3.2 服务配置

安装DNS服务,编辑区域配置文件:

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "1.168.192.in-addr.arpa" IN {
        type slave;
        file "slaves/infanx.com.loopback";
        masters { 192.168.1.1; };
};
zone "infanx.com" IN {
        type slave;
        file "slaves/infanx.com.empty";
        masters { 192.168.1.1; };
};

zone “区域名称” IN {

  type slave; //区域类型为辅助

  file “slaves/文件名”; //文件必须保存在slaves下,其他目录没有权限

  masters { IP1; IP2; }; //指出主服务器是谁

};

在主DNS上修改区域文件时,必须将SOA记录的serial加1,因为slave是通过serial值来进行判断更新的。

四、子DNS(子域授权)(选做)

父DNS配置DNS基础的正向解析文件

父DNS进行子域授权

4.1 服务配置

子域服务器安装DNS

编辑父域正向文件添加NS记录指向子域主DNS

frp     IN      NS      ns1.frp
ns1.frp IN      A       192.168.1.200

子域编辑区域配置文件

[root@localhost ~]# vim /etc/named.rfc1912.zones
zone "frp.infanx.com" IN {
        type master;
        file "frp.infanx.com.empty";
        allow-update { none; };
};

为子域创建正向文件并添加解析记录

[root@localhost ~]# cd /var/named
[root@localhost named]# cp -p named.localhost frp.infanx.com.empty
[root@localhost named]# vim frp.infanx.com.empty
$TTL 1D
@       IN SOA  ns1.frp.infanx.com. rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1
ns1     IN      A       192.168.1.200
nj      IN      A       192.168.1.201
hz      IN      A       192.168.1.202
sh      IN      A       192.168.1.203

重启服务并测试

[root@localhost named]# systemctl restart named[root@localhost named]# nslookup> ns1.frp.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Non-authoritative answer:Name:    ns1.frp.infanx.comAddress: 192.168.100.200 > nj.frp.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Non-authoritative answer:Name:    nj.frp.infanx.comAddress: 192.168.1.201 > hz.frp.infanx.com     Server:        192.168.1.1Address:    192.168.1.1#53Non-authoritative answer:Name:    hz.frp.infanx.comAddress: 192.168.1.202 > sh.frp.infanx.comServer:        192.168.1.1Address:    192.168.1.1#53Non-authoritative answer:Name:    sh.frp.infanx.comAddress: 192.168.1.203
